NGINX-Configs/etc/nginx/snippets/cross-origin-security.conf

# CORP, COOP, and COEP headers
# Meant to be used globally, but some apps may need a manual overwrite, so this is split out from security.conf

proxy_hide_header Cross-Origin-Resource-Policy;
add_header Cross-Origin-Resource-Policy "same-origin" always;

proxy_hide_header Cross-Origin-Opener-Policy;
add_header Cross-Origin-Opener-Policy "same-origin" always;

# Change COEP to "credentialless" when supported by Safari
# https://developer.mozilla.org/en-US/docs/Web/API/Window/credentialless
proxy_hide_header Cross-Origin-Embedder-Policy;
add_header Cross-Origin-Embedder-Policy "require-corp" always;
Split out cross origin security headers 2024-06-25 15:10:02 -07:00			`# CORP, COOP, and COEP headers`
			`# Meant to be used globally, but some apps may need a manual overwrite, so this is split out from security.conf`

			`proxy_hide_header Cross-Origin-Resource-Policy;`
Add quotation marks 2024-06-25 15:17:43 -07:00			`add_header Cross-Origin-Resource-Policy "same-origin" always;`
Split out cross origin security headers 2024-06-25 15:10:02 -07:00
			`proxy_hide_header Cross-Origin-Opener-Policy;`
Add quotation marks 2024-06-25 15:17:43 -07:00			`add_header Cross-Origin-Opener-Policy "same-origin" always;`
Split out cross origin security headers 2024-06-25 15:10:02 -07:00
Add note for credentialless 2025-01-03 08:22:55 -07:00			`# Change COEP to "credentialless" when supported by Safari`
			`# https://developer.mozilla.org/en-US/docs/Web/API/Window/credentialless`
Restrict CORP 2024-06-25 15:15:59 -07:00			`proxy_hide_header Cross-Origin-Embedder-Policy;`
Move Access-Control-Max-Age to security.conf 2025-01-03 09:31:47 -07:00			`add_header Cross-Origin-Embedder-Policy "require-corp" always;`